Phishing, the hook in your inbox

share post

The phishing It is a technique in which a cybercriminal sends an email to a user pretending to be a legitimate entity (social network, bank, public institution, etc.). The goal is to steal private information, make financial charges or infect the device. To achieve this they attach infected files or links to fraudulent pages in the email.

What are the most common online frauds?

Among the most common cases is email spoofing (email spoofing). Through this technique, cybercriminals send emails with a false sender to send spamspread malware or carry out attacks phishing impersonating the identity of profiles with decision-making capacity in the company, suppliers, customers, etc. 

Among the main cases of fraud, in which identity theft is used, it is worth highlighting:

  • Fake Microsoft support: Fraud in which the scammer pretends to be a technician from this company under the pretext of solving certain technical problems in the equipment. The objective is mainly to obtain confidential information from the company.
  • The CEO Fraud: consists of deceiving an employee with the ability to make bank transactions or access company account data. He receives an email, supposedly from his boss (he may be the CEO, president or director of the company), in which he is ordered to carry out an urgent confidential financial operation. The goal is to transfer company funds to the scammer's account.
  • HR fraud: in this case the mail is addressed to the HR staff pretending to be an employee requesting a change of account for the entry of their payroll. Like CEO fraud, the goal is for the company to transfer money to the scammer's account.

Another of the most common frauds is extortion, in which the cybercriminal blackmails the victim with content that he presumes to have in his possession. In the section of notices We find examples like:

  • Sextortion campaign: This type of campaign has many variants, since cybercriminals slightly change the content of the message. The objective is to extort money from the recipients with an alleged video of sexual content, which will be sent to the victim's contact list if the victim does not enter the amount demanded in bitcoin by cyber criminals.

Some recommendations to avoid these attacks:

  • Be wary of emails that appear to be from banks or known services (Dropbox, Facebook, Google Drive, Apple ID, Post and Telegraph, Tax Agency, etc.), you should always be suspicious of alarmist messages or urgent requests.
  • Suspect if there are grammatical errors in the text, they may have used an automatic translator to write the trap message. No reputable service will send poorly worded messages.
  • Communications of the type "Dear customer", "Notification to user" or "Dear friend", are usually a sign of alert.
  • If the message forces you to make a decision imminently or in a few hours, that's a bad sign. Contrast directly whether the urgency is real or not directly with the service or by consulting other trusted sources of information: the OSI, the Police, the Civil Guard, etc.
  • Check if the text of the link provided in the message matches the address it points to, and that it corresponds to the URL of the legitimate service.
  • A reputable service will use its own domains for corporate email addresses. If you receive the communication from a mailbox type, or any other similar, be suspicious.
  • Apply the equation: request for bank details + personal details = fraud.

How can we identify a malicious email?

We receive hundreds of fraudulent emails in our inboxes and although most of them are deleted, others achieve their goal: to be read.

How can we identify these emails so as not to take the bait?

  1. – You should look at the sender, did you expect to receive an email from that entity or person?
  2. – Does the email subject capture your attention? If so, you suspect that most fraudulent emails use flashy or shocking subject lines.
  3. What is the purpose of the mail? If it is the request for your personal data, it has to be an indicator to turn on the alarms. Services such as mail or household supplies will not ask you for this information.
  4. Writing: Are there misspellings or poor writing? Remember that a service provider will never send an email with bad syntax, if you detect this then it is probably a fraud.
  5. Links: do the links lead to a legitimate page? Place the mouse over the link without opening it, if it does not correspond to the real website of the institution that is contacting you, then do not open it.
  6. Does the email contain an unexpected or suspicious attachment? If the answer is yes, it is best not to open them.

Why is it called that?

Ransomware is formed by joining the words "ransom" (from English, ransom) and "ware" (product or merchandise, in English). 

Once the criminal encrypts the data, he demands a ransom from the victim, via a message or pop-up window, performing a virtual hijack. 

This threatening-tone message warns the victim that the only way to decrypt their files, recover their system, or avoid possible information leakage is to pay a ransom. 

They usually include a time limit to pay, before the total destruction of the hijacked files occurs, their publication or an increase in the value of the ransom, if it is not paid on time. Generally, the ransom is requested through some cryptocurrency (virtual currency) such as bitcoins. They often use "mules", which are intermediaries who transfer the money 

In exchange for payment, cybercriminals promise to provide the mechanism to unlock the computer or decrypt the files. However, this does not guarantee 100% that cybercriminals comply with the agreement; for this reason, it is recommended not to pay the ransom to prevent the proliferation of such threats. 

Bailout in cryptocurrencies, why?

Cryptocurrencies are virtual currencies that allow almost anonymous payment between individuals, which makes it difficult to trace them.

They are accessible from the anonymous Tor network; There, the funds from different portfolios are mixed, carrying out a kind of laundering of the cryptocurrency that makes it difficult to follow the trail of transactions. This makes it easy for cybercriminals to extort money from their victims without the police being able to immediately track them down. 

How does the infection occur?

As with other types of malware, cybercriminals use one or more of these routes to infect the victim; They take advantage of security holes (vulnerabilities) in computer software, operating systems, and applications. 

Types and action

Each type of Ransomware acts and penetrates security differently, although they are all based on the same characteristic. From minor to major importance we can classify them in:

Hoax ransomware: It simulates encryption using social engineering techniques to extort money from the user, demanding payment to recover their files or prevent them from being deleted.

Scarware: uses the lure of fake software or support. It usually appears in the form of a pop-up ad reporting a suspected virus infection and provides a quick and easy solution by downloading a cleaning program that is almost always malware.

Screen lockers: They prevent the use of the device by displaying a window that occupies the entire screen and cannot be closed. Two types of messages may appear in the window: on the one hand, the file encryption and the procedure to recover them are reported, but the files are intact. On the other, a message from the security forces appears indicating that illegal activities have been detected and a penalty is requested to unlock the computer. It is also known as the police virus.

Encrypting Ransomware: considered the most dangerous of all. Its main objective is the encryption of information to demand a ransom. Cybercriminals make use of the latest advances in encryption from 2 Ransomware.

Within this variant there is a call wiper, it doesn't return access to the files, it just deletes them.

There is also the variant doxware that uses a technique known as "doxing", this consists of threatening the user with making the extracted personal data public.

Prevention / Think like a hacker:

Many experts affirm that the best prevention for Ransomware is to put yourself in the shoes of hackers and think as they would. To prevent and anticipate it is necessary to put on the mask. For many companies it is not a shame to hire ethical hackers or ex-hackers to improve the security of their company.

    1. Awareness and training of employees and users.
  • Updated antivirus.
    1. requests dangerous pop-up installation.
  • Click on links.
    1. downloads of applications of unknown sources.
  • Backups.
    1. Update of the operating system and applications.
  • Control of privileges.
    1. anti phishing solution for email.
  • action plan

With this real time map created by Kaspersky, all kinds of attacks (including Ransomware) can be observed in real time.

Awareness is the first step to prevention, which is why Ransomware is not one of the largest cyberattacks numerically, although seeing the increase per second is shocking.

Spain is the 9th most attacked country according to graphics obtained by Kaspersky. With this graph we can also see the global need for cybersecurity.

Real case of CEO fraud:

This story tells the case of Aurora and Sergio, titular brothers and owners of a physiotherapy clinic located in the center of Cantabra. 

In the clinic they have a staff of 13 workers, 9 physiotherapists and 2 administrative staff for the management of the clinic and the two of them, in addition to being owners, carry out field work. 

One day one of the administrators, Alfonso, received an email on his mobile device, supposedly from Aurora, asking for speed to carry out a confidential and very urgent financial operation:

Alfonso, unaware of the situation, quickly responded in the affirmative. If we carefully observe the email from the alleged Aurora, it contained significant writing errors that could have raised some type of suspicion.

Cybercriminals responded quickly but made a mistake, asking for sensitive data such as account balance, for the purchase of a new machine and this was not in line with the clinic's strategy and good daily practices.

At this point, Alfonso quickly contacted Aurora to ask if it had indeed been her. Automatically both realized that the clinic had been the object of an information theft attempt through phishing

How did they carry out the deception?

This hoax, also known as whaling for being phishing Aimed at "big fish", its operation is based on sending a fraudulent email to a high-ranking employee, accountant or with the ability to access sensitive data, personal or banking information, making him see that the sender is the CEO or maximum agent of his organization. This message usually asks for help to carry out a confidential and urgent financial operation. 

Real case of fake technical support:

Luis is the owner of a small online store managed from his office in Seville.

One day he received a phone call from a person claiming to be from Microsoft in London. The interlocutor who spoke in English with a threatening tone explained that they had received numerous reports of the company's computers with errors and security warnings, indicating that these computers were in danger and could be blocked, which could affect their work. .

Suspicious, Luis asked the operator to identify the affected equipment and also how he had linked the IP of his equipment with his phone number. Automatically the operator answered him evasively and raising his threatening tone. He finally threatened him with blocking his equipment and business activity and then finally hung up the phone.

What could have happened?

Cybercriminals gain the trust of victims by offering to fix the problem, asking for computer access credentials or installing remote control tools in order to connect and fix the problem. Once this is done, the computer and the sensitive information it contains are vulnerable. With the data provided and control of the computer, they can: hijack the computer and demand a ransom for its release, even steal data or carry out economic transactions if we have given them the bank details or store them by default on the computer.

More than 1 million licensed users

More than 5 million recipients 

Contact us for more information: [email protected]

More articles